使用OAuth2客户端凭据流保护用PHP编写的REST API
[英]Securing a REST API written in PHP with OAuth2 client credentials flow
问题描述
I am writing a REST API in PHP using Symfony2. 
我正在使用Symfony2在PHP中编写REST API。 This API is intended to be used by individual websites to access data and this will be done by a client side library. 此API旨在供各个网站用于访问数据,这将由客户端库完成。
I need to secure the API however and this is proving to be a bit confusing. 我需要保护API,但事实证明这有点令人困惑。 I have done some research and as far as I can tell, a good way seems to be to use OAuth2 with the client credentials flow (see RFC draft). 我做了一些研究,据我所知,一个好方法似乎是使用OAuth2和客户端凭证流(参见RFC草案)。 I have to admit, I am still fuzzy on the details of how exactly this works but I keep reading that it is so simple. 我不得不承认,我对这究竟是如何工作的细节仍然很模糊,但我一直在阅读它是如此简单。 I suppose my first question is: Is this the way to go or have I gone off in the wrong direction? 我想我的第一个问题是:这是走的路还是我朝错误的方向走了? Should I use some other method for authenticating clients? 我应该使用其他方法来验证客户端吗? Please bear in mind that I need identity, authentication and authorisation. 请记住,我需要身份,身份验证和授权。
If yes, OAuth2 using the client credentials is the way to, then I ask: What is the best way of accomplishing this in PHP? 如果是,使用客户端凭据的OAuth2就是这样,那么我问:在PHP中实现这一点的最佳方法是什么? Has anyone actually done this? 有人真的这样做过吗? So far I have been trying to use oauth2-php along with a bundle without too much luck. 到目前为止,我一直在尝试使用oauth2-php以及没有太多运气的捆绑 。 That bundle seems to focus on 3-legged authentication although I am not quite sure. 虽然我不太确定,但该捆绑似乎专注于三足认证。 I was wondering if the best course of action would be to do it manually using the oauth2-php package perhaps? 我想知道最好的行动方案是使用oauth2-php软件包手动吗?
I would greatly appreciate any information on this. 我非常感谢有关这方面的任何信息。 Thanks in advance! 提前致谢!
1 个解决方案
解决方案1
4 2012-07-09 20:31:11
Heidar, 海达尔,
I am currently working on a similar project and this is what I found so far. 我目前正在开展一个类似的项目,这是我到目前为止所发现的。
Oauth is officially to authorize a website with a other resource on the web, Facebook found the whole seperation of autorization and authentication to confusing for its developer base, and started using Oauth for both. Oauth正式授权一个网站上有其他资源的网站,Facebook发现整个分离的自动化和身份验证让其开发人员基础混乱,并开始使用Oauth。 Since it its a major player developers have been tagging on. 因为它是开发人员一直在标记的主要参与者。
Even though I am not really sure what you mean with the Identity part in your statement, that you need "identity, authentication and authorisation." 即使我不确定您在声明中对Identity部分的意思,您还需要“身份,身份验证和授权”。
You can use Oauth for the other two, deducted from the fact that all big internet companies do so (best I can do for you on this front,Oauth docs say it is only for Authorization). 你可以将Oauth用于其他两个,从所有大型互联网公司这样做的事实中扣除(我能在这方面为你做的最好,Oauth docs说它只适用于授权)。
Google offers a client library that is maintained quite well: http://code.google.com/p/google-api-php-client/wiki/OAuth2 Google提供了一个维护良好的客户端库: http : //code.google.com/p/google-api-php-client/wiki/OAuth2
further more, for server side library I would turn to oauth2-php as you refer to, at https://github.com/quizlet/oauth2-php But please see this post for more details: Are there OAuth 2 server side PHP or Java implementations? 更进一步,对于服务器端库,我将转向oauth2-php,如你所指,在https://github.com/quizlet/oauth2-php但是请看这篇文章了解更多细节: 是否有OAuth 2服务器端PHP或Java实现?
and on the part of the 3-legged authentication please see the answer here (it's really extensive but explains it well) OAuth 2.0: Benefits and use cases — why? 在三条腿的身份验证方面,请看这里的答案(它真的很广泛,但解释得很好) OAuth 2.0:好处和用例 - 为什么?
Please keep in mind though that I am still struggling with actually implementing this. 请记住,尽管我仍然在努力实现这一点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.